I’m hoping that, by now, you’ve heard of “Let’s Encrypt,” a free, automated certificate authority run by the non-profit Internet Security Research Group (ISRG). The project is currently in public beta, but sometime in the new year, we can expect it to launch for everyone. And the timing couldn’t be better.
First, let’s catch everyone up. The EFF, Mozilla, Cisco, Akamai, IdenTrust, and researchers at the University of Michigan got together last year and began building a free, automated way to get a TLS certificate. If you’ve ever had to deal with a commercial certificate authority, this should come as a great relief.
First of all, Let’s Encrypt is free, so there are no purchase orders to write. Second of all, Let’s Encrypt automates the whole process around the certificate: the client proves it controls the domain, requests the certificate, installs it, and keeps renewing it on a schedule, so you get a fresh cert before the old one expires rather than after someone notices a browser warning.
If you’ve been reading the technology news at all for the past 10 years, you likely know that even Google and Microsoft have let their certs lapse from time to time. The result is users bouncing off your site, stopped by a full-page browser warning that the site’s identity can’t be verified or that it may be compromised in some way.
(To be honest, I’ve only ever had that warning pop up for sites with expired certificates; never have I come to a falsified site in the wild, though I am aware they do exist.)
Fortunately, Let’s Encrypt really does solve the biggest practical problems with certificates: renewal and expiration. When you’re in a humongous company that can’t actually pay for things with credit cards, or change anything on an outward-facing server without a change ticket, jumping through the hoops needed to get a valid cert can be incredibly painful.
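Automated renewal only helps if something actually watches the clock, and the expired-cert outages mentioned above are exactly what a dumb expiry check catches. The script below is an example added to this column, not code from Let’s Encrypt, certbot, or the author; it uses only the Python standard library and classifies a certificate as OK, due for renewal, expired, or not yet valid. The 30-day window and the sample certificate dates are assumptions (the window mirrors the default most ACME clients use, the sample cert is constructed, and example.test is a placeholder host).

```python
"""Certificate expiry / renewal-due check using only the standard library.

Example code added to the article; it is not part of Let's Encrypt,
certbot, or the author's own tooling.  RENEW_WINDOW_DAYS and SAMPLE_CERT
are assumptions made for illustration.
"""
import datetime
import socket
import ssl

# Renew when fewer than this many days remain.  Assumption: 30 days is the
# default window most ACME clients use; set it to suit your rotation policy.
RENEW_WINDOW_DAYS = 30


def parse_cert_time(cert_time):
    """Parse a 'notBefore'/'notAfter' string as returned by getpeercert(),
    e.g. 'Mar  3 12:00:00 2016 GMT', into an aware UTC datetime."""
    secs = ssl.cert_time_to_seconds(cert_time)
    return datetime.datetime.fromtimestamp(secs, tz=datetime.timezone.utc)


def days_remaining(not_after, now):
    """Days between `now` and the cert's notAfter; negative once expired."""
    delta = parse_cert_time(not_after) - now
    return delta.total_seconds() / 86400.0


def classify(cert, now, window_days=RENEW_WINDOW_DAYS):
    """Return 'NOT_YET_VALID', 'EXPIRED', 'RENEW_NOW' or 'OK'.

    `cert` is a dict in the shape ssl.SSLSocket.getpeercert() produces
    (it must carry 'notBefore' and 'notAfter').
    """
    not_before = parse_cert_time(cert["notBefore"])
    if now < not_before:
        return "NOT_YET_VALID"   # clock skew, or a cert issued for the future
    left = days_remaining(cert["notAfter"], now)
    if left < 0:
        return "EXPIRED"         # browsers are already showing the warning page
    if left < window_days:
        return "RENEW_NOW"       # still valid, but renewal automation should have fired
    return "OK"


def fetch_peer_cert(host, port=443, timeout=5.0):
    """Connect with a verifying TLS context and return the leaf cert dict.

    Network helper for real use; the verifying context raises
    ssl.SSLCertVerificationError on an already-expired or untrusted cert,
    which is itself a useful signal.  The offline sample below exercises
    classify() without a network connection.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def check_host(host, now=None):
    """Live check: fetch the certificate for `host` and classify it."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    return classify(fetch_peer_cert(host), now)


# Constructed sample in the shape getpeercert() returns; not a real certificate.
# A 90-day lifetime is what Let's Encrypt issues, hence the short window.
SAMPLE_CERT = {
    "subject": ((("commonName", "example.test"),),),
    "notBefore": "Dec  1 00:00:00 2015 GMT",
    "notAfter": "Feb 29 23:59:59 2016 GMT",
}

if __name__ == "__main__":
    for when in ("Nov  1 00:00:00 2015 GMT", "Dec 15 00:00:00 2015 GMT",
                 "Feb  5 00:00:00 2016 GMT", "Mar  1 00:00:00 2016 GMT"):
        now = parse_cert_time(when)
        left = days_remaining(SAMPLE_CERT["notAfter"], now)
        print(f"{when}: {classify(SAMPLE_CERT, now)} ({left:.1f} days left)")
```

Run it as is to see the four states against the constructed certificate, or call check_host("your.domain") from a cron job and page on anything other than OK. Treat RENEW_NOW as a real alert: with Let’s Encrypt the renewal should have happened automatically, so hitting the window means the automation is broken, which is the failure you want to hear about before the expiry date rather than after.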
Let’s hope Let’s Encrypt ends this silliness. Because if Let’s Encrypt can help to end the difficulties surrounding security certificates, maybe it can eventually help us put down the most ridiculous thing that is currently happening in security: the call by the FBI and other American law enforcement organizations for an end to encryption.
The sheer stupidity of this demand clearly shows how technically unsavvy these agencies are. It worries me greatly that the organization tasked with tracking down computer criminals believes that eliminating encryption, or putting backdoors into encryption software, is even a viable option, let alone the answer to their problems.
Clearly, the United States is scared and confused by all of the Daesh-based activity and attacks around the world, and some kneejerk reactions are to be expected. Many people, myself included, are calling for a just-as-ridiculous ban of all firearms of all kinds.
Isn’t that insane? Aren’t I crazy for thinking that we should ban all guns? Then, only criminals would have guns, and security guards and police officers would have to physically restrain people who may have guns themselves!
I wager that my personal belief that all guns should be banned, however, is just as silly and impossible as banning encryption or putting backdoors into things like AES. If encryption is illegal, only criminals will encrypt!
We’ve been through this before, anyway. For years, U.S. export rules treated strong cryptography as a munition, thanks to restrictions put in place by Congress at the NSA’s urging. Software that used symmetric keys longer than 40 bits could not be shipped overseas without a license for most of the 1990s, and a separate set of rules capped the raw computing performance of hardware that could be sold abroad, on the theory that a machine powerful enough to run strong encryption should not leave the country.
These crazy restrictions were rarely enforced, and when they were, it was to keep computers from going to places like Iran and the Soviet Union’s allies. Still, despite the silly nature of the law, the near impossibility of enforcing it, and the utterly terrible way in which it was written, some American companies were forced to keep their equipment from being sold overseas entirely.
But surely we should return to those byzantine days, right? Surely the only thing keeping the NSA from reading all Internet traffic all the time is the encryption people use. It couldn’t possibly be that reading all the traffic on the Internet and analyzing it in real time to assess threats is a boil-the-ocean idea that never was and never will be possible, even with no encryption at all?
Long story short: Encrypt those sites, people. The government doesn’t want you to do it, so all the more reason to go hog wild with cryptography. Just be like any gun nut and tell them, “From my cold, dead hands.”